Web application firewalls may not fix Web application security issues

Attackers may target Web applications as much as they ever did, but there are increasing
questions about how best to fit Web application firewalls into corporate defenses. Some security
consultants have found they aren't worth the expense and effort needed to purchase, implement and
manage them, given the disruption they can cause in enterprise network operations. Plus, without
real attention to proper tuning, savvy hackers can often breeze past them.

Jason Haddix, HP Fortify's director of penetration testing, noted that "even good WAFs [Web
application firewalls] can go wrong." He said his team "recently did an evaluation of the top 10
WAFs and found they can be bypassed the majority of the time due to configuration flaws."

The cautionary tone about WAFs comes, ironically, at a time when attacks against Web
applications make up an increasing percentage of port-based attacks. According to the
Akamai's latest State of the Internet
report (for the second quarter of 2013), attacks against Web application ports 80 and 443
increased, putting them in spots one and two among the ten most-attacked ports. Since Akamai first
began releasing the reports in 2008, this was the first time Microsoft-DS, port 445, wasn't in
first place.

WAFs have emerged -- at least in part -- as an antidote to the difficulty of improving the
security of Web applications themselves. Even with groups such as the Open Web Application Security
Project (OWASP) evangelizing the importance of integrating security into the Web development
process -- and with OWASP releasing a yearly "top
10" report in order to raise awareness of the most critical risks -- it's still an uphill
battle.

The challenges presented in securing Web applications are the impetus for recommendations from
analyst firms such as Gartner for the implementation of a WAF. According to Gartner's report on the WAF market, published in June 2012, WAF sales amounted
to approximately $278 million in 2011, up 17% from the previous year. Companies seem to want the
extra layer of protection offered by a WAF, and the Forrester survey indicated that in most
organizations, a WAF is either already implemented or on the roadmap.

But is this Band-Aid approach effective? Respected security advisory firms Gartner and Securosis
noted several specific barriers to an effective WAF deployment. When applying any new security
control, there's a fear of affecting applications and the user experience and the business
processes they enable. Gartner specifically warned of overly restrictive WAF policies causing
disruptions when the application is changed, ultimately resulting in a loosening of standards and
therefore less effective protection.

Some of these problems could be the result of unrealistic expectations, according to Securosis,
especially if an organization is simply trying to find a cheaper way to deploy application
security. Frequently, the root cause is a failure to understand that compliance initiatives and
security don't always overlap.

But the most significant roadblock to a successful WAF implementation may be a human one. The
integration of this technology into an environment requires increased resources, which many smaller
organizations simply don't have. Gartner noted that WAFs come with a high initial deployment cost
compared to other technologies. This is partly due to hardware or software licensing costs,
but more attributable to the required expertise of personnel who can manage a WAF effectively.

In a 2011 report, application security consultant Larry Suto evaluated six WAFs and determined
their average effectiveness to be 62% -- after configuration by an expert. He recommended -- in
order to provide the maximum benefit -- that WAFs "be tuned by a trained professional." He also
advised their use in conjunction with other application security tools, such as dynamic analysis
security testing, static analysis security testing, risk management and an intrusion prevention
system.

HP Fortify's Haddix agreed that WAFs require care and feeding by experts: "We looked into how
WAFs determine what addresses they need to check and not check. We found that some were configured
to read this through HTTP headers, which can be completely forged by the attacker. We simply told
the WAFs that the connections were coming from 127.0.0.1 (the home address of the WAF itself), and
it wouldn't filter our traffic. This wasn't a technical hack, but an intended 'feature' that a lot
of deployments were leaving open to attackers.

"It just goes to show," Haddix added, "you need someone to understand the WAF in depth, just
like 10 years ago when you had a dedicated IDS [intrusion detection system] guy on staff to monitor
that emerging technology."
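The header-trust flaw Haddix describes, shown as an added illustration (this is not code from the article, HP Fortify, or any WAF product): a WAF that derives the client address from an unauthenticated `X-Forwarded-For` header can be told it is talking to itself, whereas one that only honours the header from a known upstream proxy falls back to the real TCP peer. The proxy address, allowlist and request values below are constructed for the example.

```python
import ipaddress

# Constructed sample policy: the WAF skips inspection for traffic that appears
# to originate from its own host (the 127.0.0.1 case in the article).
INSPECTION_ALLOWLIST = {ipaddress.ip_address("127.0.0.1")}

# Hypothetical reverse proxies in front of the WAF; only these are permitted
# to assert a client address through X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip_weak(peer_addr, headers):
    """Misconfiguration: believe X-Forwarded-For from anyone, ignoring the peer."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(peer_addr)


def client_ip_hardened(peer_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Trust the TCP peer unless it is a known proxy; in that case walk
    X-Forwarded-For from the right and stop at the first hop that is not a
    trusted proxy. Anything malformed falls back to the peer address."""
    peer = ipaddress.ip_address(peer_addr)
    if peer not in trusted_proxies:
        return peer  # direct connection: the header is attacker-controlled noise
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer
        if addr not in trusted_proxies:
            return addr
    return peer


def skips_inspection(addr, allowlist=INSPECTION_ALLOWLIST):
    """True when the WAF would pass the request through uninspected."""
    return addr in allowlist


# Constructed request: an outside host connects directly and claims to be localhost.
SPOOFED = ("203.0.113.7", {"X-Forwarded-For": "127.0.0.1"})
```

Run against `SPOOFED`, the weak resolver yields an address on the allowlist and the request is waved through; the hardened resolver returns the real peer and the request is inspected.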

Tony Bourke, a private consultant specializing in Unix administration and networking, said he
has the same concerns about WAFs: "For me, as a consultant, they're kind of like toddlers in a
fine-china shop. You can't just put them somewhere and then take your eye off of them. You turn
your back for a minute and they can get into lots of trouble -- expensive trouble."

Greg Ferro, a freelance consultant and author of
the EtherealMind blog, went so far as to say he "won't work on WAFs for liability reasons."
Developers, he said, are dismissive of security requirements and unsure how to communicate about
them with infrastructure managers.

"DevOps takes some steps in this direction to solve the communication gap," Ferro said, "but
ultimately, DevOps means the death of WAF, since it will be replaced by automated and unit testing
in the software as part of the continuous deployment tool chain. Instead of post-fixing a fault
code, DevOps promotes the idea of continuous integration and testing that would detect common
security flaws that WAFs [are] meant to address."
